analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

RFQ Request For Quotation.exe

Full analysis: https://app.any.run/tasks/7d29ca1b-5316-483c-938a-8208552a32ec
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 16, 2019, 23:43:22
OS: Windows 10 Professional (build: 16299, 32 bit)
Tags:
stealer
trojan
SecurityXploded
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

D06E763D1C6B7E6E01C237EDB03752E0

SHA1:

0A6B74F43F476AE0DBB31C3D982A2046763ED5D0

SHA256:

D94ACE8C997D1EC1F05F05D7EA41882CD0255F078C96C175B61CEBDC66E613BE

SSDEEP:

24576:j0BG9gGUvH+uO4H4444CUjBbxTJL9z+FBn0+glXWELlhvrSoPsmnnygW9l9l:j0PGAeP4H4444CgbxTrY0tFWELl/PsqK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • adobepdf.exe (PID: 452)
      • adobepdf2.exe (PID: 1716)
      • Areada.exe (PID: 2040)
      • ancp.exe (PID: 508)
      • ancp.exe (PID: 3416)

    • Detected SecurityXploded stealer

      • adobepdf.exe (PID: 452)
      • adobepdf2.exe (PID: 1716)
      • cmd.exe (PID: 2864)

    • Stealing of credential data

      • adobepdf.exe (PID: 452)
      • cmd.exe (PID: 2864)

    • Actions looks like stealing of personal data

      • adobepdf2.exe (PID: 1716)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • RFQ Request For Quotation.exe (PID: 3960)
      • xcopy.exe (PID: 3912)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3528)
      • cmd.exe (PID: 3372)

    • Executed via COM

      • DllHost.exe (PID: 1476)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2864)

    • Creates files in the user directory

      • RFQ Request For Quotation.exe (PID: 3960)
      • xcopy.exe (PID: 3912)
      • adobepdf.exe (PID: 452)
      • adobepdf2.exe (PID: 1716)
      • cmd.exe (PID: 2864)

    • Executes scripts

      • RFQ Request For Quotation.exe (PID: 3960)

    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 2864)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2f9df
UninitializedDataSize: -
InitializedDataSize: 131072
CodeSize: 241664
LinkerVersion: 6
PEType: PE32
TimeStamp: 2013:07:16 19:19:51+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Jul-2013 17:19:51
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 16-Jul-2013 17:19:51
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0003A2EA
0x0003B000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.50844
.rdata
0x0003C000
0x00008FE8
0x00009000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.22595
.data
0x00045000
0x00016FD8
0x00013000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.19436
.rsrc
0x0005C000
0x00010FBC
0x00011000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.41883

Resources

Title
Entropy
Size
Codepage
Language
Type
1
1.318
67624
UNKNOWN
English - United States
RT_ICON
7
2.31894
86
UNKNOWN
English - United States
RT_STRING
109
1.79879
16
UNKNOWN
English - United States
RT_ACCELERATOR
129
3.57295
592
UNKNOWN
English - United States
RT_DIALOG
130
3.37305
340
UNKNOWN
English - United States
RT_DIALOG
139
3.11873
148
UNKNOWN
English - United States
RT_DIALOG
140
3.26439
216
UNKNOWN
English - United States
RT_DIALOG
201
1.98048
20
UNKNOWN
English - United States
RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
67
Monitored processes
14
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rfq request for quotation.exe wscript.exe no specs cmd.exe no specs conhost.exe xcopy.exe #SECURITYXPLODED cmd.exe PhotoViewer.dll no specs attrib.exe no specs ipconfig.exe no specs #SECURITYXPLODED adobepdf.exe #SECURITYXPLODED adobepdf2.exe ancp.exe ancp.exe areada.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3960"C:\Users\admin\AppData\Local\Temp\RFQ Request For Quotation.exe" C:\Users\admin\AppData\Local\Temp\RFQ Request For Quotation.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3528"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Local\Adobe\Pdf\low\adobel.vbs" C:\WINDOWS\System32\WScript.exeRFQ Request For Quotation.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
3372C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Local\Adobe\Pdf\low\adobe01.bat" /quiet /norestart"C:\WINDOWS\system32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
1920\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.16299.15 (WinBuild.160101.0800)
3912xcopy /y /h /e /r /k /c *.* "C:\Users\admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\"C:\WINDOWS\system32\xcopy.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extended Copy Utility
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
2864C:\WINDOWS\system32\cmd.exe /K "C:\Users\admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adob02.bat"C:\WINDOWS\system32\cmd.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.16299.15 (WinBuild.160101.0800)
1476C:\WINDOWS\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\WINDOWS\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
10.0.16299.15 (WinBuild.160101.0800)
4012attrib +r +a +s +h "C:\Users\admin\AppData\Roaming\Local\Adobe\Pdf\low"C:\WINDOWS\system32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
2596ipconfig /all C:\WINDOWS\system32\ipconfig.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
452adobepdf.exe -f "555.555"C:\Users\admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adobepdf.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
2 463
Read events
2 425
Write events
38
Delete events
0

Modification events

(PID) Process:(3960) RFQ Request For Quotation.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:writeName:VBSFile
Value:
(PID) Process:(3960) RFQ Request For Quotation.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3960) RFQ Request For Quotation.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3960) RFQ Request For Quotation.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3960) RFQ Request For Quotation.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3960) RFQ Request For Quotation.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\WScript.exe.FriendlyAppName
Value:
Microsoft ® Windows Based Script Host
(PID) Process:(3960) RFQ Request For Quotation.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\WScript.exe.ApplicationCompany
Value:
Microsoft Corporation
(PID) Process:(3528) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3528) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3528) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
Executable files
8
Suspicious files
2
Text files
12
Unknown types
0

Dropped files

PID
Process
Filename
Type
452adobepdf.exeC:\Users\admin\AppData\Local\Temp\Login Data
MD5:
SHA256:
2864cmd.exeC:\Users\admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\555.555
MD5:
SHA256:
2864cmd.exeC:\Users\admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\444.444
MD5:
SHA256:
3912xcopy.exeC:\Users\admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adob02.battext
MD5:BF1A87E9304E753A9526A378EA22E2C4
SHA256:D1E87B9F3E2809247C71626F23BC7E55DBCF4312CCB1B39FD7CCA67D0DD246E3
3960RFQ Request For Quotation.exeC:\Users\admin\AppData\Roaming\Local\Adobe\Pdf\low\adobel.vbstext
MD5:2864A0A13AA20777E1C3724DBB1E990A
SHA256:1CABF268659DE553B118090382FCF8966497D7955EBC82D18738EFCA2733BA03
3912xcopy.exeC:\Users\admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adobe01.battext
MD5:E823FDA116058BCEFA286C59F0BD46FD
SHA256:E06C9F973D0583F7431E8DB29816AB4DCE137B3B83D187358DE41E25842D8209
3912xcopy.exeC:\Users\admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adobel.vbstext
MD5:2864A0A13AA20777E1C3724DBB1E990A
SHA256:1CABF268659DE553B118090382FCF8966497D7955EBC82D18738EFCA2733BA03
3960RFQ Request For Quotation.exeC:\Users\admin\AppData\Roaming\Local\Adobe\Pdf\low\adobe01.battext
MD5:E823FDA116058BCEFA286C59F0BD46FD
SHA256:E06C9F973D0583F7431E8DB29816AB4DCE137B3B83D187358DE41E25842D8209
2864cmd.exeC:\Users\admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\adoip.pvctext
MD5:88962C6E9A5F80EA93F4FFDE5D3CCEBC
SHA256:98B6B4625C9565D8D4D30152DEB2E08BA45D21D35E98C18ABB734AA2A9D1AD04
3960RFQ Request For Quotation.exeC:\Users\admin\AppData\Roaming\Local\Adobe\Pdf\low\asas.battext
MD5:C8E1981D75A3357A2E0DACFEE70136C6
SHA256:94FD4D7C63A6DC064BBBB5045D15176ECE07C6003644418AAAF7F22752366F45
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
7
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3416
ancp.exe
198.23.57.8:33189
ftp.freehostia.com
Steadfast
US
malicious
3416
ancp.exe
198.23.57.8:21
ftp.freehostia.com
Steadfast
US
malicious
508
ancp.exe
198.23.57.8:21
ftp.freehostia.com
Steadfast
US
malicious
40.90.23.215:443
login.live.com
Microsoft Corporation
US
unknown
508
ancp.exe
198.23.57.8:33441
ftp.freehostia.com
Steadfast
US
malicious

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.90.23.215
  • 40.90.23.235
  • 40.90.23.247
whitelisted
self.events.data.microsoft.com
  • 52.114.88.29
  • 52.114.74.45
  • 52.114.74.43
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ftp.freehostia.com
  • 198.23.57.8
malicious
nexusrules.officeapps.live.com
  • 52.109.124.20
  • 52.109.8.20
whitelisted
config.edge.skype.com
  • 13.107.3.128
whitelisted

Threats

PID
Process
Class
Message
3416
ancp.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3416
ancp.exe
A Network Trojan was detected
MALWARE [PTsecurity] SecurityXploded BrowserPasswordDump
508
ancp.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
508
ancp.exe
A Network Trojan was detected
MALWARE [PTsecurity] PSWTool.SecurityXploded used by Stealer.Separ for Exfiltration
508
ancp.exe
A Network Trojan was detected
MALWARE [PTsecurity] PSWTool.SecurityXploded used by Stealer.Separ for Exfiltration
6 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
RFQ Request For Quotation.exe